Introduction to Advanced Malware Protection (AMP)

Views: 55,096

Cisco

Comments: 39
@aceventuraaceventura2003 7 months ago
Wow, that's all it was; it was so confusing the way the documents explain it. This is by far the best explanation of AMP I have seen to date, thank you.
@rickysandhu3916 5 years ago
This is the best explanation of the entire AMP process I've seen. Finally the concept is clear. I never had a clear understanding of how all the pieces fit together until now. Thank you!
@baburali428 2 years ago
This is the best and simplest explanation of the entire AMP process ever. Now the AMP concept is clear. Thank you!
@rajakaruppasamy4559 5 years ago
Excellent video! Simple but very clear on the concepts!!! Thanks Brian!
@gasha.1 6 years ago
Amazing video!! Clear concept! Thank you Brian :)
@sidss007 1 year ago
What an amazing video!!! Best explanation of AMP.
@binou3655 6 years ago
Simple and very nice presentation. Thank you Brian :).
@asaman1974 4 years ago
Excellent explanation
@N1kRolexx 4 years ago
Where can I find such a blackboard? :)
@logicfirst7959 7 years ago
Isn't it counter-intuitive to use a two-step verification to improve on file disposition? What information does Threat Grid have that the AMP database doesn't that qualifies for an improved disposition on that file? If Threat Grid has this sort of advanced disposition feature, it should be in sync with the AMP Cloud at all times to display the correct disposition on the first attempt. Secondly, in the Firepower access control policy's advanced section (Files and Malware Settings), the default is "Allow file if cloud lookup for Block Malware takes longer than (2) seconds". What if this entire process takes longer than 2 seconds? The file is allowed.
@jdwegner 7 years ago
Threat Grid is a sandboxed VM that opens/runs the file in question, examining the _behaviors_ and returning a threat score. AMP cloud is simply a lookup in a database of previously encountered files. TG can detect zero-days; the basic AMP database cannot. TG is invoked only if AMP returns a disposition of "unknown."
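The two-stage flow jdwegner describes (hash lookup first, sandbox only on an "unknown" disposition), together with the Firepower lookup-timeout default raised in the question above, as an added worked example in Python. This is not part of the thread and not Cisco code: the reputation table, the behaviour weights, the sample bytes, the simulated lookup latency and the quarantine threshold of 95 (the value Cisco gives further down the thread) are all constructed or assumed. In a real deployment the disposition comes from the AMP cloud and the score from Threat Grid executing the file; here both are stand-ins so the decision logic can be exercised offline.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample files (bytes invented for this example, not real malware).
SAMPLE_FILES: Dict[str, bytes] = {
    "invoice.pdf": b"%PDF-1.4 benign invoice (constructed sample)\n",
    "dropper.exe": b"MZ constructed malicious sample\n",
    "newtool.bin": b"never-seen-before binary (constructed sample)\n",
}


def sha256_hex(data: bytes) -> str:
    """The only thing the connector needs to send for a reputation lookup."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the AMP cloud: a lookup keyed by SHA-256.
# newtool.bin is deliberately absent, so it will come back "unknown".
REPUTATION_DB: Dict[str, str] = {
    sha256_hex(SAMPLE_FILES["invoice.pdf"]): "clean",
    sha256_hex(SAMPLE_FILES["dropper.exe"]): "malicious",
}

# Constructed behaviour weights for the sandbox stand-in. A real sandbox
# derives behaviours by running the file; here they are passed in as inputs.
BEHAVIOUR_WEIGHTS: Dict[str, int] = {
    "writes_run_key": 40,
    "disables_av": 50,
    "spawns_powershell": 25,
    "beacons_to_ip": 30,
}

QUARANTINE_THRESHOLD = 95   # assumed policy value (the score Cisco quotes in this thread)
LOOKUP_TIMEOUT_S = 2.0      # the Firepower default mentioned in the question above


def cloud_lookup(sha256: str) -> str:
    """Reputation lookup: clean / malicious, or unknown if never seen."""
    return REPUTATION_DB.get(sha256, "unknown")


def sandbox_score(observed_behaviours: List[str]) -> int:
    """Behaviour-based score clamped to [0, 100]; unknown behaviours add nothing."""
    raw = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in observed_behaviours)
    return min(raw, 100)


@dataclass(frozen=True)
class Verdict:
    sha256: str
    disposition: str       # clean / malicious / unknown / lookup-timeout
    score: Optional[int]   # sandbox score, present only when dynamic analysis ran
    action: str            # allow / block / quarantine / log


def disposition_pipeline(data: bytes,
                         observed_behaviours: List[str],
                         lookup_latency_s: float = 0.1,
                         fail_open: bool = True) -> Verdict:
    """Hash lookup first; sandbox only on 'unknown'; timeout decided by policy.

    lookup_latency_s simulates how long the cloud took to answer so the
    timeout branch can be exercised without a network.
    """
    sha = sha256_hex(data)

    # Branch 1: the cloud did not answer in time. The Firepower default is to
    # allow the file (fail open); fail_open=False shows the stricter choice.
    if lookup_latency_s > LOOKUP_TIMEOUT_S:
        return Verdict(sha, "lookup-timeout", None, "allow" if fail_open else "block")

    # Branch 2: known hash, decided by reputation alone; the sandbox never runs.
    disposition = cloud_lookup(sha)
    if disposition == "malicious":
        return Verdict(sha, disposition, None, "block")
    if disposition == "clean":
        return Verdict(sha, disposition, None, "allow")

    # Branch 3: unknown hash, so dynamic analysis runs and the score is thresholded.
    score = sandbox_score(observed_behaviours)
    action = "quarantine" if score >= QUARANTINE_THRESHOLD else "log"
    return Verdict(sha, "unknown", score, action)


if __name__ == "__main__":
    print(disposition_pipeline(SAMPLE_FILES["invoice.pdf"], []))
    print(disposition_pipeline(SAMPLE_FILES["dropper.exe"], []))
    print(disposition_pipeline(SAMPLE_FILES["newtool.bin"], ["writes_run_key", "spawns_powershell"]))
    print(disposition_pipeline(SAMPLE_FILES["newtool.bin"], ["writes_run_key", "disables_av", "beacons_to_ip"]))
    print(disposition_pipeline(SAMPLE_FILES["newtool.bin"], [], lookup_latency_s=3.0))
```

The point of the timeout branch is the one logicfirst7959 raises: with the default setting, a slow lookup is indistinguishable from a clean verdict from the user's side, so anyone relying on the block action should measure lookup latency and decide deliberately whether fail-open is acceptable on that path.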
@NeuroScientician 7 years ago
Is he writing it all backwards/reversed on glass?
@IvanRadevRadev 7 years ago
He writes it normally, then the editor flips the video and it looks right to us.
@cryptobox128 7 years ago
Yes. I am actually right-handed in real life!
@brock7147 5 years ago
@cryptobox128 So you did write it all backwards in real time?
@cryptobox128 5 years ago
@brock7147 No, I wrote it normally and they mirror-imaged it in software. I'm not left-handed. (Hat tip to any Princess Bride fans out there...)
@bigmacdoubleyouv 5 years ago
This was my first thought upon seeing this video.
@minhat5182 1 year ago
So, does AMP use SSL inspection to detect threats, sir? Or is it 100% through the AMP cloud? Regards.
@CiscoSystems 1 year ago
AMP does not use SSL inspection for detecting threats. Instead, it focuses on file inspection and analysis, leveraging various techniques such as machine learning, behavioral analysis, and cloud-based threat intelligence. We hope this information helps!
@imranhaider8876 6 years ago
A 480p video in 2016, really Cisco?
@happosade 6 years ago
Maybe they ran out of bandwidth.
@pja8901 5 years ago
If this is running on Firepower or the ESA, how would AMP handle encrypted data? Would we need to run HTTPS inspection in the middle, for example?
@CiscoSystems 5 years ago
Please visit the Cisco Community for a discussion about AMP running on Firepower and HTTPS/encryption: community.cisco.com/t5/firepower/amp-and-amp-for-endpoint-differences-and-https-encryption/td-p/3016371
@MrTheAlexy 6 years ago
And how does TG give the scores? The piece of code is either malicious or not; giving a score pushes us to an assumption based on probability. What if TG is wrong?
@CiscoSystems 6 years ago
Cisco Threat Grid has a robust and intelligent dynamic analysis engine. The mechanisms it uses to detect malware are constantly updated with the latest threat data, to provide the most accurate results possible. Threat Grid will always provide a complete report for you to review if a decision needs to be changed (a file can be restored from quarantine in the AMP console). Threat Grid and AMP also have built-in guard rails to prevent conviction of system files that could score poorly based on their behavior.
@n1cktion 6 years ago
What is the point of the SHA-256 encryption?
@CiscoSystems 6 years ago
Hi Nicholas. SHA-256 is a one-way cryptographic hash by definition. All communications between endpoints and the cloud are always encrypted because, in certain cases, potentially sensitive data (such as the file name and parent process) can be sent along with the SHA-256. It is not just the SHA-256 that is encrypted; it is all of the data.
@n1cktion 6 years ago
Understood, thank you. After using the AMP dashboard further, it's clearer now as to why. I appreciate the response!
@AnkurSingh-mq4qf 5 years ago
Does every file I have downloaded or copied from any source get submitted to AMP, and does AMP TG hold the whole content of the file?
@CiscoSystems 5 years ago
Hi Ankur. AMP will calculate a SHA-256 on every file; this is a single hash value that cannot be used to reconstruct the file. Only files that are suspect (and that are configured to be submitted) will be uploaded in their entirety to the Threat Grid Cloud for analysis. There are also settings to make sure that files that do get submitted are submitted "privately", so the contents and result of the dynamic analysis are only accessible by your organization.
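What the connector actually sends for each file, and why a hash alone is enough for the retrospective events mentioned elsewhere in this thread, as an added Python example that is not from the thread and not Cisco code. Each file event carries the SHA-256 plus the file name and parent process (the "potentially sensitive data" from the earlier reply, which is why the channel itself is encrypted), never the file bytes. When a hash's disposition later changes, the event store is searched for every host that already saw it. Hosts, paths, parent processes and sample bytes are constructed; the in-memory event store stands in for the cloud, and transport encryption is outside the example.

```python
import hashlib
from typing import List, NamedTuple


def sha256_hex(data: bytes) -> str:
    """Hashing runs on the endpoint; only the 64-hex-char digest leaves it."""
    return hashlib.sha256(data).hexdigest()


class FileEvent(NamedTuple):
    """What the connector reports: a hash plus light context, never the bytes."""
    host: str
    sha256: str
    path: str
    parent_process: str


def report_file_seen(host: str, path: str, parent_process: str, data: bytes) -> FileEvent:
    """Build the event for a file the endpoint just created or downloaded."""
    return FileEvent(host, sha256_hex(data), path, parent_process)


class Telemetry:
    """Constructed stand-in for the cloud's per-organisation event store."""

    def __init__(self) -> None:
        self.events: List[FileEvent] = []

    def record(self, event: FileEvent) -> None:
        self.events.append(event)

    def sightings(self, sha256: str) -> List[FileEvent]:
        """Every earlier sighting of one hash, in the order it was reported."""
        return [e for e in self.events if e.sha256 == sha256]


def hosts_to_revisit(store: Telemetry, convicted: bytes) -> List[str]:
    """Retrospective event: hosts that saw a file before it was convicted.

    Only the hash is needed, so the file never has to be re-uploaded; any
    host that reported this digest earlier is returned for quarantine/review.
    """
    return sorted({e.host for e in store.sightings(sha256_hex(convicted))})


# Constructed sample: identical bytes land on two hosts, while a variant that
# differs in a single byte lands on a third. Same behaviour, different hash,
# which is exactly the gap the sandbox score exists to cover.
SAMPLE = b"MZ constructed sample seen before conviction\n"
VARIANT = SAMPLE[:-1] + b"!"

telemetry = Telemetry()
telemetry.record(report_file_seen("ws-01", r"C:\Users\a\Downloads\setup.exe", "chrome.exe", SAMPLE))
telemetry.record(report_file_seen("ws-07", r"C:\Temp\setup.exe", "outlook.exe", SAMPLE))
telemetry.record(report_file_seen("ws-12", r"C:\Users\b\setup.exe", "explorer.exe", VARIANT))

if __name__ == "__main__":
    # The event carries no file contents, only the digest and its context.
    print(telemetry.events[0])
    # Later the cloud flips SAMPLE to malicious: find who already ran it.
    print(hosts_to_revisit(telemetry, SAMPLE))
```

Two properties worth noticing when reading the output: the digest is the same 64 hex characters whether the file is 40 bytes or 40 MB, and the one-byte variant does not match the convicted hash at all, so a repacked copy of the same malware is invisible to hash reputation until it is scored on behaviour.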
@qamarislam1851 7 years ago
Hi Brian, thanks for the information. If we have the private cloud on premises and also the Cisco Threat Grid appliance on premises, and the endpoint is at home and downloads a malicious file there, how does it work with the private cloud? Does the endpoint send the file's SHA-256 to the on-premises private cloud, or what happens?
@cryptobox128 7 years ago
With AMP Private Cloud and remote/mobile endpoints, you would have to ensure that the endpoint is able to reach the AMP PC server (TCP port 443). That will enable the AMP file reputation lookups, policy, retrospective events, etc. For the on-prem Threat Grid appliance, the case is actually easier, because the sample file is not sent directly from the endpoint to TG. Instead, AMP does a "file fetch" operation into the (public or private) cloud, and so you just need to make sure that your AMP PC and your TG can communicate locally.
@rccypher 7 years ago
This response is accurate. However, it is also important to note that the AMP Private Cloud must be configured to use FQDNs that are available both on the internet and on the intranet. This can be accomplished via split DNS or DNS zones. Just opening TCP 443 without properly configuring DNS will not work.
@logicfirst7959 7 years ago
Qamar, the home user is authenticated on the firewall using passive or active authentication methods. From there, the firewall handles file operations based on the file-blocking profile. I hope that answers the question.
@josegavalos8255 6 years ago
What does AMP do if the threat score of the unknown file is 94? 94 is still very high.
@CiscoSystems 6 years ago
Hi Jose. Cisco AMP will only auto-quarantine a score of 95 or higher; a score of 94 will be logged and you will be able to review the report and decide whether to quarantine or not.
@arian7472 5 years ago
OK, good.
@secretboys1906 4 years ago
AMP sucks! I have to go around my company with the free version of Malwarebytes because my company wasted thousands of dollars on this stupid endpoint solution.
@CiscoSystems 4 years ago
We're sorry to hear about this, and will share your feedback directly with the team. Please also reach out to us via TAC@cisco.com for support. Thank you.